1 of 1

nunet_security_pipeline

Last updated: 2024-11-07 21:06:00.446615 File source: link on GitLab

Tl;DR

Before diving into this please read: DevSecOps Maturity Models
Get yourself familiar with our Vulnerability Management Software: DefectDojo

1. Introduction

This document aims to provide a comprehensive overview of the security pipeline architecture implemented in NuNet. It is designed to serve as an informative guide for developers, and stakeholders involved in the software development and deployment process. The primary focus is to detail the various stages of the pipeline, the security tools integrated at each stage, and the specific roles these tools play in enhancing the security of the software development lifecycle. By outlining the workflow, tool specifics, and the conditions under which the pipeline is triggered.

2. DevSevOps Maturity Level 2

What is at DSOMM Maturity Level 2

After spending a few quarters in level 1, you are now quite familiar with all the tooling that performs scans for you. Furthermore, you have also shared this expertise with other engineers and built up effective team communications to provide you prompt feedback. Now, it’s time to level up.

In level 2, we make informed decisions based on minor tweaks to the default rule sets or configuration. This is mostly to test waters.

Let’s look at what happens on all 4 axes at this level:

Static Depth
- Run SAST scans with minor tweaks to rules.
- Run SCA scans with minor tweaks to rules.
- Run Secret scans with minor tweaks to rules.
Dynamic Depth
- Run DAST scans with minor tweaks to baseline settings.
Intensity
- You can now define the frequency of scans to be twice a month.
Consolidation
- You can start adding the findings in a vulnerability register after analysis.

Note: Another important thing to keep in mind at this level is that you are not supposed to fail any builds but you can consult the developers for any concrete findings.

3. Pipeline Workflow

Reference Pipeline

The security tools are applied in different stages of the pipeline workflow. These tools are:

Commit
- Static Analysis Security Testing (SAST)
- Secret Detection
- IaC Best Practices
- Dependency Scanning
- Coverage Fuzz Testing (Not in use)
Build
- Container Scanning
Test
- API Security (Not in use)
- Dynamic Application Security Testing (DAST) (TBD)
Deploy
- Operational Container Scanning (TBD)

3.1 Static Analysis Security Testing (SAST)

While GitLab's SAST framework supports many programming languages, at NuNet, our primary programming languages are Python, Golang and JavaScript.

This pipeline applies to both container and binary projects.

Tools

Triggers

This pipeline is triggered on merge request to every branch.

Stages

It is run on the test (or Security-Test-1) stage.

3.2 Secret Detection

The Secret Detection tool scans repositories to help prevent secrets from being exposed during commits. The primary Secret Detection tool is Gitleaks.

This pipeline applies to both container and binary projects.

Tools

Gitleaks is used for secret detection in repositories.

Triggers

This pipeline is triggered on merge request to every branch.

Stages

It is run on the test (or Security-Test-1) stage.

3.3 Dependency Scanning

This stage analyzes an application's dependencies for known vulnerabilities.

Tools

The primary tool for scanning application dependencies is Gemnasium.

Triggers

This pipeline is currently disabled but can be configured to run every branch commit.

Stages

It is run on the test (or Security-Test-1) stage.

3.4 Container Scanning

The container scanning tool inspects docker images for known vulnerabilities.

Tools

After building the docker image, the following tools scan the built containers.

Trivy (Default Gitlab container scanner)
DockerBench
ClairScan

Triggers

This pipeline is triggered on merge request to every branch.

Stages

This stage is run on the test (or Security-Test-1) stage, primarily after the build stage.

4. Mapping Current Pipeline on Maturity Level 2

Static Depth
- Run SAST scans with minor tweaks to rules. ✅
- Run SCA scans with minor tweaks to rules. ✅
- Run Secret scans with minor tweaks to rules. ✅
Dynamic Depth
- Run DAST scans with minor tweaks to baseline settings. (Binary case) ❌
- Run DAST scans with minor tweaks to baseline settings. (Container Scanning) ✅
Intensity
- Scans to be twice a month. Frequency here is too much, every commit on every branch
Consolidation
- The findings in a vulnerability register after analysis. Vulnerability Management Process designed for this purpose

nunet_security_pipeline

Last updated: 2024-11-07 21:06:00.446615 File source: link on GitLab

Tl;DR

Before diving into this please read: DevSecOps Maturity Models
Get yourself familiar with our Vulnerability Management Software: DefectDojo

1. Introduction

This document aims to provide a comprehensive overview of the security pipeline architecture implemented in NuNet. It is designed to serve as an informative guide for developers, and stakeholders involved in the software development and deployment process. The primary focus is to detail the various stages of the pipeline, the security tools integrated at each stage, and the specific roles these tools play in enhancing the security of the software development lifecycle. By outlining the workflow, tool specifics, and the conditions under which the pipeline is triggered.

2. DevSevOps Maturity Level 2

What is at DSOMM Maturity Level 2

In level 2, we make informed decisions based on minor tweaks to the default rule sets or configuration. This is mostly to test waters.

Let’s look at what happens on all 4 axes at this level:

Static Depth
- Run SAST scans with minor tweaks to rules.
- Run SCA scans with minor tweaks to rules.
- Run Secret scans with minor tweaks to rules.
Dynamic Depth
- Run DAST scans with minor tweaks to baseline settings.
Intensity
- You can now define the frequency of scans to be twice a month.
Consolidation
- You can start adding the findings in a vulnerability register after analysis.

Note: Another important thing to keep in mind at this level is that you are not supposed to fail any builds but you can consult the developers for any concrete findings.

3. Pipeline Workflow

Reference Pipeline

The security tools are applied in different stages of the pipeline workflow. These tools are:

Commit
- Static Analysis Security Testing (SAST)
- Secret Detection
- IaC Best Practices
- Dependency Scanning
- Coverage Fuzz Testing (Not in use)
Build
- Container Scanning
Test
- API Security (Not in use)
- Dynamic Application Security Testing (DAST) (TBD)
Deploy
- Operational Container Scanning (TBD)

3.1 Static Analysis Security Testing (SAST)

While GitLab's SAST framework supports many programming languages, at NuNet, our primary programming languages are Python, Golang and JavaScript.

This pipeline applies to both container and binary projects.

Tools

Triggers

This pipeline is triggered on merge request to every branch.

Stages

It is run on the test (or Security-Test-1) stage.

3.2 Secret Detection

The Secret Detection tool scans repositories to help prevent secrets from being exposed during commits. The primary Secret Detection tool is Gitleaks.

This pipeline applies to both container and binary projects.

Tools

Gitleaks is used for secret detection in repositories.

Triggers

This pipeline is triggered on merge request to every branch.

Stages

It is run on the test (or Security-Test-1) stage.

3.3 Dependency Scanning

This stage analyzes an application's dependencies for known vulnerabilities.

Tools

The primary tool for scanning application dependencies is Gemnasium.

Triggers

This pipeline is currently disabled but can be configured to run every branch commit.

Stages

It is run on the test (or Security-Test-1) stage.

3.4 Container Scanning

The container scanning tool inspects docker images for known vulnerabilities.

Tools

After building the docker image, the following tools scan the built containers.

Trivy (Default Gitlab container scanner)
DockerBench
ClairScan

Triggers

This pipeline is triggered on merge request to every branch.

Stages

This stage is run on the test (or Security-Test-1) stage, primarily after the build stage.

4. Mapping Current Pipeline on Maturity Level 2

Static Depth
- Run SAST scans with minor tweaks to rules. ✅
- Run SCA scans with minor tweaks to rules. ✅
- Run Secret scans with minor tweaks to rules. ✅
Dynamic Depth
- Run DAST scans with minor tweaks to baseline settings. (Binary case) ❌
- Run DAST scans with minor tweaks to baseline settings. (Container Scanning) ✅
Intensity
- Scans to be twice a month. Frequency here is too much, every commit on every branch
Consolidation
- The findings in a vulnerability register after analysis. Vulnerability Management Process designed for this purpose